
OT Vulnerability Management That Really Moves the Needle

How to Stop the Security Theater and Make Actual Progress in Securing OT Assets

The Challenge of Vulnerability Management in OT

If you’re attempting OT vulnerability management, you already know that what you’re working on is difficult.

You’re playing a game that’s far different from IT vulnerability management – and, honestly, far harder to win – thanks to three main challenges:

1. There are so many OT vulnerabilities that fixing them all is impossible.
Most organizations are facing hundreds of thousands of existing common vulnerabilities and exposures (CVEs) with new ones coming in regularly. It’s like a game of Tetris played at maximum speed, and your organization was already buried before you began.

2. Patching is costly and challenging.
You can’t set up automatic patching in OT; security patches represent configuration changes which engineers want to avoid, and which are often not covered by vendor warranties. Plus, many OT computers run 24/7 and can’t be rebooted except during planned outages. Patching also may require travel, which is costly, and difficult to arrange thanks to COVID.

3. It’s hard to get full visibility on vulnerabilities.
CVEs are only one form of vulnerability. Proper management must also account for configuration vulnerabilities (like default passwords) and technology that is insecure by design. And even if you know every vulnerability you face, you still need data to prioritize them based on asset context and criticality.

If you’re in IT, you don’t want to hear these things – but you need to. Here’s the bottom line:

The bad news is that there is no easy, quick fix for OT vulnerability management. But the good news is that there is a real solution: Strategic OT vulnerability management that’s carried out with determination and perseverance.

The Solution to Vulnerability Management

The path forward is not to immediately patch every new CVE that’s discovered. It’s to prioritize vulnerabilities and address them via a long-term approach. Put simply, OT vulnerability management requires OT asset management.

With that in mind, here’s what you need to have if you want to improve your OT vulnerability management:

1. Vulnerability data on every OT asset.
If you don’t know your OT vulnerabilities, then you can’t address them. You need comprehensive data on every OT device you have, including existing CVEs, patch statuses and their effects on CVEs, physical location data, and network topology diagrams. Given that the average OT computer has over 1,000 vulnerabilities, we’re talking about a lot of data.

2. The ability to prioritize vulnerabilities based on the big picture.
Having the data is not enough. You need to be able to understand how vulnerabilities fit into the larger OT picture so that you can prioritize how you’ll address them. Instead of addressing CVEs with a “Critical” severity rating first, you need to understand how likely a given vulnerability is to be exploited and how damaging exploitation could be. This requires a big picture view that accounts for things like the age of the vulnerability and the asset’s level of exposure on the network.

3. A plan to reduce your backlog of vulnerabilities while addressing new ones.
Once you’re able to prioritize your vulnerabilities, the final step is a plan of attack. This involves building up a cybersecurity capability that allows you to reduce your backlog of vulnerabilities while mitigating new CVEs quicker than they flow in. Network security, application whitelisting, and system hardening instead of patching – these are the tactics that will improve your OT vulnerability management.

With this approach, you can simultaneously reduce the speed of the Tetris game while also addressing new issues as they come in. Fixing today’s vulnerability doesn’t move the needle, but incremental improvement, over time, will lead to a more secure OT stance.
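
An added example, not part of the original brochure and not OT-BASE code: a small scorer showing how ranking by likelihood and impact, using the factors named above (vulnerability age, network exposure, asset criticality), can invert a CVSS-first ordering. The weights, the exposure and criticality scales, the assumption that older CVEs are more likely to be exploited, and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder ID, not a real CVE
    asset: str        # hypothetical asset name
    cvss: float       # CVSS base score, 0.0-10.0
    published: date   # CVE publication date
    exposure: int     # assumed scale: 0 isolated cell, 1 plant network, 2 reachable from IT
    criticality: int  # assumed scale: 1 (low) to 5 (safety/production critical)

TODAY = date(2022, 1, 1)  # fixed so the example is reproducible

# Constructed sample findings for illustration only.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "eng-workstation-07", 9.8, date(2021, 11, 1), 0, 2),
    Finding("CVE-EXAMPLE-0002", "hmi-line3", 6.5, date(2017, 1, 1), 2, 5),
    Finding("CVE-EXAMPLE-0003", "plc-boiler-1", 7.5, date(2019, 7, 1), 1, 5),
]

def likelihood(f: Finding) -> float:
    """Assumed model: exposure dominates; age adds up to 0.3, capped at 5 years."""
    age_years = (TODAY - f.published).days / 365.25
    return 0.2 + 0.5 * (f.exposure / 2) + 0.3 * (min(age_years, 5.0) / 5.0)

def impact(f: Finding) -> float:
    """Assumed model: technical severity and asset criticality weighted equally."""
    return 0.5 * (f.cvss / 10) + 0.5 * (f.criticality / 5)

def priority(f: Finding) -> float:
    return likelihood(f) * impact(f)

def rank_by_priority(findings):
    return sorted(findings, key=priority, reverse=True)

def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

if __name__ == "__main__":
    for f in rank_by_priority(FINDINGS):
        print(f"{priority(f):.3f}  cvss={f.cvss:<4} {f.cve} on {f.asset}")
```

With these sample values the "Critical" CVE on an isolated, low-criticality workstation drops to last place, behind two lower-scored CVEs on exposed, production-critical devices.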

How OT-BASE Makes Vulnerability Management More Effective

We’ve designed the OT-BASE OT asset management software to make OT vulnerability management as efficient and effective as possible. Here’s how it delivers on the solutions outlined above.
1. Use OT-BASE Asset Management to create a comprehensive OT inventory.
Using active probing with legitimate industrial protocol functions to gather asset information, OT-BASE Asset Discovery discovers data for every
device on your networks, including software configuration, serial numbers, network connectivity, and, of course, patches and CVEs. Everything can
be stored in OT-BASE Asset Management so that there’s a single source of truth for your OT devices and data.

2. Drill down into CVE data for individual devices.
Using OT-BASE, you can see which CVEs impact a specific device and how that device is connected to other devices via OT-BASE device profiles.
Profiles contain all essential data for a specific device in a dedicated web page – pictures, a timeline, links to connected devices, and so on.

3. See new vulnerabilities as they come in.
The OT-BASE events page is home to a dashboard that informs you of recent events in various categories, including CVEs and new problem reports.

You can view graphs showing the number of events over time, and set the platform to reinspect every day, every week, or every 30 days, so that you
always have relevant data.

4. Analyze the impact of individual CVEs on your installed base.
OT-BASE also provides a CVE list of all known vulnerabilities for your installed base. You can filter for specific locations, device groups, networks,
and more, to get an understanding of how vulnerabilities are distributed.

To help with visualizing the data, OT-BASE also features a 3-D attack surface map, which reveals CVEs with respect to CVSS base score, number of
vulnerable devices, and device criticality. It allows an analyst to get a first, visual impression of which CVEs to focus on for risk reduction. The size of
rectangles represents the number of vulnerable devices, the color of rectangles represents CVSS base score, and the elevation (Z axis) represents
compound device criticality.

5. See the big picture with a customizable dashboard.
OT-BASE Vantage is an analytical dashboard that allows you to explore key characteristics of your installed OT-BASE, including its known
vulnerabilities and its protective status, so that you can develop a strategic management approach. This dashboard is not integrated into OT-BASE
Asset Center, but exists as an external standalone application, allowing you to do offline processing.

6. Produce comprehensive white-label reports with a click of the mouse.
Part of addressing vulnerabilities is communicating critical information to internal stakeholders and auditors. You can use OT-BASE Report Writer
to automatically generate a white-label assessment or audit report based on asset data from OT-BASE Asset Center. The report is stored as a
Microsoft Word document that you can modify, and includes diagrams, tables, and text elements which can be customized based on the data you
need to share.

7. Integration with top tools to keep your workflow seamless.
The OT-BASE REST API can be integrated with other systems so that you can dynamically exchange inventory data wherever it’s needed. For
example, OT-BASE has a pre-built Technical Add-on for Splunk that allows Splunk users to process asset and vulnerability data from OT-BASE in
Splunk. This means that you can use your current suite of tools while integrating real OT vulnerability data into your stack.

These features, and others, will allow you to gain vulnerability data on every OT asset, prioritize vulnerabilities based on the big picture, and create a plan to reduce your backlog of vulnerabilities while addressing new ones. This is the key to doing real OT vulnerability management, as opposed to simply enacting security theater by scrambling to patch the latest CVE.

Ready for Real OT Vulnerability Management?
This is a challenging endeavor, but you can make real progress over time.

OT-BASE can allow you to manage known vulnerabilities that affect your installed base using a systematic and straightforward workflow. It provides the tools you need to create a strategic, effective plan that will get OT security up to speed in the long term.

If you’re interested in learning more about OT-BASE, let’s have an honest conversation.

Figuring out if OT-BASE is the right tool for you is an important task. We can help you with it by providing frank answers to all your questions. When you schedule a call, we promise that you won’t be bored with PowerPoint slides and you won’t be disappointed by salespeople who can’t answer even the most basic technical question.

We can discuss:
• Your use case scenarios
• Software integration
• Pricing and licensing
• Technical details
• The roadmap to launch

You’ll be able to see the platform in action, and the more you and your team grill us, the more you will benefit.

IF YOU’RE READY FOR REAL OT VULNERABILITY MANAGEMENT, LET’S TALK.

www.langner.com
